A system for detection of email risk automatically determines that a first party is considered by the system to be trusted by a second party, based on at least one of determining that the first party is on a whitelist and that the first party is in an address book associated with the second party. A message addressed to the second party from a third party is received. A risk determination of the message is performed by determining whether the message comprises a hyperlink and by determining whether a display name of the first party and a display name of the third party are the same or that a domain name of the first party and a domain name of the third party are similar, wherein similarity is determined based on having a string distance below a first threshold or being conceptually similar based on a list of conceptually similar character strings. Responsive to determining that the message poses a risk, a security action is automatically performed comprising at least one of marking the message up with a warning, quarantining the message, performing a report generating action comprising including information about the message in a report accessible to an admin of the system, and replacing the hyperlink in the message with a proxy hyperlink.
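An added example, not taken from the patent or from any product, of the risk determination the abstract describes: a message from a non-trusted sender is flagged when it contains a hyperlink and either reuses a trusted contact's display name or comes from a lookalike domain. The addresses, threshold value, similarity list and function names are assumptions chosen for illustration, as is the choice to treat an identical domain as not a lookalike.

```python
import re
from email.utils import parseaddr

# Constructed sample data; all values below are illustrative assumptions.
TRUSTED = {"alice.jones@examplebank.com": "Alice Jones"}  # whitelist / address book
CONCEPTUALLY_SIMILAR = [{"examplebank.com", "example-banking.net"}]
DISTANCE_THRESHOLD = 3  # domains are "similar" when the distance is below this
HREF = re.compile(r"https?://[^\s\"'<>]+", re.I)

def edit_distance(a, b):
    """Levenshtein distance using a rolling dynamic-programming row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domains_similar(trusted_dom, sender_dom):
    if trusted_dom == sender_dom:
        return False  # assumption: an identical domain is not a lookalike
    if edit_distance(trusted_dom, sender_dom) < DISTANCE_THRESHOLD:
        return True
    return any({trusted_dom, sender_dom} <= group for group in CONCEPTUALLY_SIMILAR)

def assess(from_header, body):
    """Return (risky, reasons) for one message addressed to the second party."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in TRUSTED:
        return False, []  # the sender is the trusted first party itself
    sender_dom = addr.rpartition("@")[2]
    reasons = []
    for t_addr, t_name in TRUSTED.items():
        t_dom = t_addr.rpartition("@")[2]
        if name.strip().lower() == t_name.lower():
            reasons.append(f"display name matches trusted contact {t_addr}")
        if domains_similar(t_dom, sender_dom):
            reasons.append(f"domain {sender_dom} resembles {t_dom}")
    has_link = bool(HREF.search(body))
    # Risk requires both a hyperlink and a name or domain match.
    return (has_link and bool(reasons)), reasons
```

The returned reasons list can feed the warning markup or the admin report that the abstract lists as security actions.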
Legal claims defining the scope of protection, as filed with the USPTO.
2. The system of claim 1 wherein a request associated with the proxy hyperlink causes the system to: determine the hyperlink from the proxy hyperlink; determine whether a site associated with the hyperlink is associated with risk; and based on the determination whether the site associated with the hyperlink is associated with risk, cause a warning to be displayed or a redirection to be made from the proxy hyperlink to the hyperlink.
3. The system of claim 2 further comprising determining whether the site associated with the hyperlink is associated with risk before the request associated with the proxy hyperlink is received.
4. The system of claim 2 further comprising determining whether the site associated with the hyperlink is associated with risk in response to receiving the request associated with the proxy hyperlink.
5. The system of claim 1 wherein in response to receiving a request associated with the proxy hyperlink: determine the hyperlink from the proxy hyperlink; verify content of a site associated with the hyperlink, and based on a result of the verification, cause at least one of a warning to be displayed and a redirection to be made from the proxy hyperlink to the hyperlink.
6. The system of claim 1 wherein the proxy hyperlink encodes at least a portion of the hyperlink.
7. The system of claim 1 wherein the security action comprises at least one of: initiating a multi-factor authentication verification, modifying the display name of the message, transmitting a notification or a warning to an address associated with the second party, collecting information comprising at least one of an IP address, a cookie, and browser version information, and transmitting a confirmation request to an address associated with the first party, the confirmation request comprising at least a portion of the message.
8. The system of claim 7 wherein a confirmation received in response to the confirmation request comprises at least one of an entered code or a clicked link, wherein the link is included in the confirmation request.
9. The system of claim 8 wherein information associated with the clicked link is collected, wherein the information comprises at least one of the IP address, the cookie, and the browser version information.
10. The system of claim 1 wherein the risk determination is further based at least in part on at least one of: an indication of spoofing, an indication of account takeover, a presence of a reply-to address, a geographic inconsistency, detection of a new signature file, detection of a new display name, detection of high-risk email content, detection of an abnormal delivery path, and based on analysis of attachments.
11. The system of claim 1 wherein an address associated with the first party is determined to be a secondary communication channel associated with at least one of the first party and an admin associated with the first party.
12. The system of claim 1 wherein the security action further comprises transmitting a confirmation request to an address associated with the first party, the confirmation request comprising at least a portion of the message, wherein the message is delivered to the second party based on verification of information received in response to the confirmation request.
15. The method of claim 14 wherein a request associated with the proxy hyperlink results in the method: determining the hyperlink from the proxy hyperlink; determining whether a site associated with the hyperlink is associated with risk; and based on the determination that the site associated with the hyperlink is associated with risk, causing a warning to be displayed or a redirection to be made from the proxy hyperlink to the hyperlink.
16. The method of claim 15 further comprising determining whether the site associated with the hyperlink is associated with risk before the request associated with the proxy hyperlink is received.
17. The method of claim 15 further comprising determining whether the site associated with the hyperlink is associated with risk in response to receiving the request associated with the proxy hyperlink.
18. The method of claim 14 further comprising in response to receiving a request associated with the proxy hyperlink: determining the hyperlink from the proxy hyperlink; verifying content of a site associated with the hyperlink, and based on a result of the verification, causing a warning to be displayed or a redirection to be made from the proxy hyperlink to the hyperlink.
19. The method of claim 14 further comprising causing the proxy hyperlink to encode at least a portion of the hyperlink.
20. The method of claim 14 wherein the security action comprises at least one of: initiating a multi-factor authentication verification, modifying the display name of the message, transmitting a notification or a warning to an address associated with the second party, collecting information comprising at least one of an IP address, a cookie, and browser version information, and transmitting a confirmation request to an address associated with the first party, the confirmation request comprising at least a portion of the message.
21. The method of claim 14 further comprising basing the risk determination at least in part on at least one of an indication of spoofing, an indication of account takeover, a presence of a reply-to address, a geographic inconsistency, detection of a new signature file, detection of a new display name, detection of high-risk email content, detection of an abnormal delivery path, and an analysis of attachments.
22. The method of claim 14 further comprising determining that an address associated with the first party is a secondary communication channel associated with at least one of the first party and an admin associated with the first party.
23. The method of claim 14 wherein the security action further comprises transmitting a confirmation request to an address associated with the first party, the confirmation request comprising at least a portion of the message, the method further comprising enabling a confirmation in response to the confirmation request to comprise at least one of entered code or a clicked link, wherein the clicked link is included in the confirmation request.
24. The method of claim 23 further comprising collecting information associated with the clicked link, wherein the information comprises at least one of an IP address, a cookie, and browser version information.
25. The method of claim 14 further comprising delivering the message to the second party based on verification of information received in response to a confirmation request.
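An added example, not part of the patent text, of the proxy hyperlink flow in claims 2 to 6 and 15 to 19: the original hyperlink is encoded into the proxy hyperlink, recovered when the link is requested, checked for risk, and answered with a warning or a redirection. The proxy host, key, risky-host set and function names are assumptions, and the HMAC tag is an addition the claims do not mention, included so the proxy only resolves links it issued and cannot be used as an open redirector.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed placeholders for illustration only.
PROXY_BASE = "https://proxy.example/r/"
KEY = b"constructed-demo-key"                # in practice a managed secret
RISKY_HOSTS = {"login-examplebank.example"}  # stand-in for a reputation lookup

def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_proxy_link(url):
    """Encode the original hyperlink in the proxy hyperlink, plus a MAC tag."""
    tag = hmac.new(KEY, url.encode(), hashlib.sha256).digest()[:16]
    return f"{PROXY_BASE}{b64e(url.encode())}.{b64e(tag)}"

def handle_click(proxy_url):
    """Return ('redirect', url), ('warn', url) or ('reject', None)."""
    if not proxy_url.startswith(PROXY_BASE):
        return "reject", None
    try:
        payload, tag = proxy_url[len(PROXY_BASE):].split(".")
        url = b64d(payload).decode()
        expected = hmac.new(KEY, url.encode(), hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(b64d(tag), expected):
            return "reject", None  # token was not issued by this system
        parts = urlsplit(url)
    except ValueError:
        return "reject", None      # malformed token, encoding or URL
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "reject", None
    # Risk check at request time (claim 4); the variant in claim 3 would
    # perform the same check before the request arrives and store the result.
    if parts.hostname.lower() in RISKY_HOSTS:
        return "warn", url
    return "redirect", url
```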
June 30, 2020
February 28, 2023